package org.springframework.vault.authentication;

import java.util.LinkedHashMap;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.util.Assert;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.AuthenticationSteps;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/GcpComputeAuthentication.class */
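/**
 * Vault login for workloads on Google Compute Engine, using the instance identity token issued by
 * the Compute metadata endpoint.
 *
 * <p>Flow as implemented here: request an identity token from {@link #COMPUTE_METADATA_URL_TEMPLATE}
 * (with the {@code Metadata-Flavor: Google} header, {@code format=full} and an audience derived
 * from the configured role), then hand that token to the inherited login helper, or to the
 * {@code auth/{mount}/login} step when used through {@link AuthenticationSteps}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The metadata request is plain HTTP to the unqualified host name {@code metadata}. Nothing
 *       in this class authenticates that endpoint, so whether the token comes from the platform
 *       metadata service depends on the host's name resolution and network path.
 *       NOTE(review): confirm the deployment resolves this name only to the metadata service.</li>
 *   <li>The string returned by the metadata endpoint is used as the login credential. Treat it as
 *       a secret: do not log it or attach it to exception messages.</li>
 *   <li>{@link #login()} uses the dedicated metadata {@link RestOperations}, while
 *       {@link #getAuthenticationSteps()} only describes the request; which HTTP client executes
 *       those steps is decided by the caller, not by this class.</li>
 * </ul>
 */
public class GcpComputeAuthentication extends GcpJwtAuthenticationSupport implements ClientAuthentication, AuthenticationStepsFactory {

    /**
     * URI template of the Compute metadata identity endpoint. Variables: {@code serviceAccount},
     * {@code audience}, {@code format}. Note the {@code http} scheme and the short host name.
     */
    public static final String COMPUTE_METADATA_URL_TEMPLATE = "http://metadata/computeMetadata/v1/instance/service-accounts/{serviceAccount}/identity?audience={audience}&format={format}";

    private final GcpComputeAuthenticationOptions options;

    /** Client used only for the metadata endpoint; may differ from the one used to reach Vault. */
    private final RestOperations googleMetadataRestOperations;

    /**
     * Creates an instance that uses the same {@link RestOperations} for Vault and for the
     * metadata endpoint.
     *
     * @param options login options, must not be {@code null}
     * @param vaultRestOperations client for Vault and for the metadata endpoint, must not be {@code null}
     */
    public GcpComputeAuthentication(GcpComputeAuthenticationOptions options, RestOperations vaultRestOperations) {
        this(options, vaultRestOperations, vaultRestOperations);
    }

    /**
     * Creates an instance with separate clients for Vault and for the metadata endpoint. Keeping
     * them separate lets Vault-specific TLS or header configuration stay off the metadata call.
     *
     * @param options login options, must not be {@code null}
     * @param vaultRestOperations client passed to the superclass for the Vault login
     * @param googleMetadataRestOperations client for the metadata endpoint, must not be {@code null}
     */
    public GcpComputeAuthentication(GcpComputeAuthenticationOptions options, RestOperations vaultRestOperations, RestOperations googleMetadataRestOperations) {
        super(vaultRestOperations);
        // Message previously named a non-existent "GcpGceAuthenticationOptions" type.
        Assert.notNull(options, "GcpComputeAuthenticationOptions must not be null");
        Assert.notNull(googleMetadataRestOperations, "Google Metadata RestOperations must not be null");
        this.options = options;
        this.googleMetadataRestOperations = googleMetadataRestOperations;
    }

    /**
     * Describes the login as declarative steps: fetch the identity token from the metadata
     * endpoint, wrap it in the login request body, and post it to {@code auth/{mount}/login}.
     *
     * @param options login options, must not be {@code null}
     * @return the authentication steps
     */
    public static AuthenticationSteps createAuthenticationSteps(GcpComputeAuthenticationOptions options) {
        // Message previously said "CubbyholeAuthenticationOptions" (copy-paste from another class).
        Assert.notNull(options, "GcpComputeAuthenticationOptions must not be null");

        // Positional template variables: serviceAccount, audience, format.
        AuthenticationSteps.HttpRequest<String> identityRequest = AuthenticationSteps.HttpRequestBuilder
                .get(COMPUTE_METADATA_URL_TEMPLATE, options.getServiceAccount(), getAudience(options.getRole()), "full")
                .with(getMetadataHttpHeaders())
                .as(String.class);

        return AuthenticationSteps.fromHttpRequest(identityRequest)
                .map(identityToken -> createRequestBody(options.getRole(), identityToken))
                .login("auth/{mount}/login", options.getPath());
    }

    /**
     * Fetches an identity token and logs in to Vault with it.
     *
     * @return the Vault token produced by the inherited login helper
     * @throws VaultException if the identity token cannot be obtained or the login fails
     */
    @Override // org.springframework.vault.authentication.ClientAuthentication
    public VaultToken login() throws VaultException {
        return doLogin("GCP-GCE", signJwt(), this.options.getPath(), this.options.getRole());
    }

    /** Returns the step-based description of this login for the configured options. */
    @Override // org.springframework.vault.authentication.AuthenticationStepsFactory
    public AuthenticationSteps getAuthenticationSteps() {
        return createAuthenticationSteps(this.options);
    }

    /**
     * Obtains the identity token from the metadata endpoint. Despite the name, nothing is signed
     * locally: the token is whatever the endpoint returns as the response body.
     *
     * <p>Only HTTP status errors are translated to {@link VaultLoginException}; other client
     * exceptions (for example I/O failures) propagate as thrown by the {@link RestOperations}.
     *
     * @return the identity token, never {@code null} or empty
     * @throws VaultLoginException on an HTTP error status or an empty response body
     */
    protected String signJwt() {
        LinkedHashMap<String, Object> uriVariables = new LinkedHashMap<>();
        uriVariables.put("serviceAccount", this.options.getServiceAccount());
        uriVariables.put("audience", getAudience(this.options.getRole()));
        uriVariables.put("format", "full");

        String identityToken;
        try {
            identityToken = this.googleMetadataRestOperations
                    .exchange(COMPUTE_METADATA_URL_TEMPLATE, HttpMethod.GET, new HttpEntity<Void>(getMetadataHttpHeaders()), String.class, uriVariables)
                    .getBody();
        } catch (HttpStatusCodeException e) {
            throw new VaultLoginException("Cannot obtain signed identity", e);
        }

        // Fail here rather than sending an empty credential on to the Vault login request.
        if (identityToken == null || identityToken.isEmpty()) {
            throw new VaultLoginException("Cannot obtain signed identity: metadata endpoint returned an empty body");
        }
        return identityToken;
    }

    /** Builds the headers for the metadata request: {@code Metadata-Flavor: Google}. */
    private static HttpHeaders getMetadataHttpHeaders() {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.set("Metadata-Flavor", "Google");
        return httpHeaders;
    }

    /**
     * Builds the audience requested for the identity token from the Vault role name.
     *
     * <p>The prefix is a fixed constant and is not derived from the configured Vault address.
     * NOTE(review): presumably the server only evaluates the trailing {@code vault/{role}} part;
     * confirm against the Vault GCP auth method before relying on the audience for binding.
     */
    private static String getAudience(String role) {
        return String.format("https://localhost:8200/vault/%s", role);
    }
}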
